powersync-ja / powersync-service


[MongoDB] Reduce permissions required #113

Closed rkistner closed 1 week ago

rkistner commented 1 week ago

Currently, we always use a global changestream, which needs the readAnyDatabase permission on Atlas.

This is needed when sync rules reference multiple databases in the same cluster. We want to use a single changestream for the entire replication process, so having read permissions for each individual database is not sufficient when using multiple databases. Replicating multiple databases is not a common use case though, and the permissions needed are a problem for some users.

This now changes to opening a changestream on the specific database if only the default database is used. This effectively reduces the required permissions to just read@mydb.

So overall the current permissions required for Atlas are:

readWrite@mydb._powersync_checkpoints
readAnyDatabase@admin

And after the change it would be:

readWrite@mydb._powersync_checkpoints
read@mydb

Note that for the beta, we'd likely use document pre/post-images for each replicated collection, which requires the collMod permission if we set it up automatically. This would require the dbAdmin@mydb permission on Atlas. However, users will still have the option to instead configure that manually and just use read@mydb.
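The scope decision described in the comment above, sketched as an added example (not code from this PR or from powersync-service). `planChangeStream`, `openChangeStream` and `auditRoles` are hypothetical names; the only driver calls assumed are `MongoClient.watch()` and `Db.watch()`, and the optional `dbAdmin@mydb` case for pre/post-images is not modelled.

```typescript
// Added example with hypothetical names; role strings use the PR's Atlas-style role@resource notation.

// Minimal structural types for the two driver calls used:
// MongoClient.watch() (cluster-wide) and Db.watch() (single database).
interface Watchable { watch(pipeline: object[]): unknown; }
interface ClientLike extends Watchable { db(name: string): Watchable; }

interface StreamPlan {
  scope: 'database' | 'cluster';
  requiredRoles: string[];
}

// Pick the narrowest change stream scope for the databases the sync rules reference.
function planChangeStream(defaultDb: string, referencedDbs: string[]): StreamPlan {
  const checkpoints = `readWrite@${defaultDb}._powersync_checkpoints`;
  const onlyDefault = referencedDbs.every((db) => db === defaultDb);
  return onlyDefault
    ? { scope: 'database', requiredRoles: [checkpoints, `read@${defaultDb}`] }
    : { scope: 'cluster', requiredRoles: [checkpoints, 'readAnyDatabase@admin'] };
}

// Open the stream at the planned scope, so a read@mydb-only user never
// attempts a cluster-wide watch it is not authorized for.
function openChangeStream(client: ClientLike, defaultDb: string, plan: StreamPlan): unknown {
  return plan.scope === 'database' ? client.db(defaultDb).watch([]) : client.watch([]);
}

// Compare the roles granted to the replication user against the plan.
// readAnyDatabase@admin also satisfies a read@<db> requirement, but is
// reported as excess when the plan only needs database scope.
function auditRoles(granted: string[], plan: StreamPlan): { missing: string[]; excess: string[] } {
  const satisfied = (need: string) =>
    granted.includes(need) ||
    (need.startsWith('read@') && granted.includes('readAnyDatabase@admin'));
  return {
    missing: plan.requiredRoles.filter((r) => !satisfied(r)),
    excess: granted.filter((r) => !plan.requiredRoles.includes(r)),
  };
}
```
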

changeset-bot[bot] commented 1 week ago

🦋 Changeset detected

Latest commit: c6307d8c063f7728d727c7fe27b890277b3c1828

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages

| Name | Type |
| --------------------------------- | ----- |
| @powersync/service-module-mongodb | Minor |
| @powersync/service-image | Patch |
